Tcpdump data collection

• Previous message (by thread): Tcpdump data collection
• Next message (by thread): Tcpdump data collection
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3/12/2008, at 2:19 PM, Subba Rao wrote:

> Hello,
>
> I want to collect data on a network and map the data flow and system/ 
> port traffic. There are 2 scenarios of data collection here.  The  
> first is to collect IP traffic only.  In this method I do not want  
> the data portion of the IP packet (need IP address, source/ 
> destination ports etc).
>
> The second is to collect traffic that will show all the routing  
> protocols (non-IP) used on this network.  Today while collecting the  
> data, I saw several HSRP packets.  I don't know what portion of the  
> packet is sufficient to capture for this purpose.
>
> I used the "-s 0" option on tcpdump which captures the whole  
> packet.  That is making the dump file large.  Any help with the  
> filters is appreciated to capture the non-data portion of the packets.
>
> Thank you in advance.

I strongly recommend having a look through this to find out what rules  
you want (ie. plain English):
http://www.networksorcery.com/enp/default1002.htm

Then, go about mapping them in to tcpdump/pcap/bpf/whatever filter  
format, a quick Google suggests this as a good resource:
http://www.whitehats.ca/main/members/Malik/malik_tcpdump_filters/malik_tcpdump_filters.html


You might also consider using netflow instead of tcpdump, there are  
lots of tools available for processing netflow data in ways that are  
useful to network operators.

--
Nathan Ward

• Previous message (by thread): Tcpdump data collection
• Next message (by thread): Tcpdump data collection
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]